This is the second part of the blog series on Microsoft Azure Storage. In the first part, we discussed Microsoft Azure Storage in terms of the Storage Account, its services, and its features. In this part, we will explore the different types of Storage Accounts, the Blob Access Tiers, Storage Account Replication, Security, and Pricing, and briefly look at business use cases.
Before we step in, let us walk you through two business use cases where Microsoft Azure Storage may be used. If you are a BFSI company, you may need to deploy a Security Information and Event Management (SIEM) solution for your network. A search engine is required under the hood to query, store and archive the data, including raw logs, for compliance and auditing purposes. To achieve this, you can leverage the archive access tier of Microsoft Azure Blob Storage. Another critical need for a business is to back up its data to avoid data loss in case of a calamity. Microsoft Azure Storage can be used to back up application data so that it can be restored in a consistent state, and all changes can be read back from Azure Storage when you need to recover your application's backup.
Types of Microsoft Azure Storage Account
There are five types of storage accounts offered by Microsoft Azure Storage. Of these, three are in the standard performance tier and two are in the premium performance tier.
Within the standard performance tier, we have:
- General Purpose V2 (GPV2)
General Purpose V2 supports all the storage services, offering your business high capacity and high throughput, along with the different blob types and blob access tiers. Microsoft recommends this type of storage account.
- General Purpose V1 (GPV1)
General Purpose V1 supports the storage services mentioned for GPV2 except blob access tiers. It supports both the ARM and classic deployment models and can be upgraded easily to GPV2.
- Blob Storage
Blob Storage is limited to the blob service and supports blob access tiers. Block blobs and append blobs are the only blob types this account type supports.
Within the premium performance tier, we have:
- Block Blob Storage
Block Blob Storage provides high transaction rates. It supports only block and append blobs and does not support blob access tiers. It is backed by solid-state drives.
- File Storage
File Storage is backed by solid-state drives, giving high performance and low latency.
Blob Access Tiers in Microsoft Azure Storage
In Microsoft Azure Storage, there are three blob access tiers:
- Hot Access Tier: The hot access tier stores data that is accessed frequently. Storing data here is expensive, while retrieving data from this tier is cost-effective.
- Cool Access Tier: The cool access tier stores data that is accessed less frequently. Storage is more cost-effective than in the hot tier; however, transactions are more expensive.
- Archive Tier: The archive tier stores data kept for logging and auditing purposes; auditing in the banking industry is a typical example. Data in the archive tier is stored for 180 days. This is the most cost-effective of the three tiers for storage; however, transactions are the most expensive compared with the other tiers.
If you are unsure which tier suits your environment, remember that businesses can quickly move data from one access tier to another as the need arises.
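As an added example (not from the original post), the following code builds a blob lifecycle management rule that moves data through the tiers described above and evaluates what state a blob would be in on a given day. The rule format follows the Azure lifecycle policy JSON as this example assumes it; the prefix, blob names and day thresholds are constructed.

```python
from datetime import date
from typing import Optional

# The section above puts archive-tier retention at 180 days; this example treats that as the
# minimum gap between archiving and any delete action (an assumption of this example).
ARCHIVE_RETENTION_DAYS = 180


def build_lifecycle_rule(name: str, prefix: str, cool_after: int, archive_after: int,
                         delete_after: Optional[int] = None) -> dict:
    """Return one rule in the shape of an Azure Blob lifecycle management policy."""
    if not 0 <= cool_after < archive_after:
        raise ValueError("blobs must move to cool before they move to archive")
    actions = {"tierToCool": {"daysAfterModificationGreaterThan": cool_after},
               "tierToArchive": {"daysAfterModificationGreaterThan": archive_after}}
    if delete_after is not None:
        if delete_after < archive_after + ARCHIVE_RETENTION_DAYS:
            raise ValueError("delete would remove archived data before its 180-day period")
        actions["delete"] = {"daysAfterModificationGreaterThan": delete_after}
    return {"enabled": True, "name": name, "type": "Lifecycle",
            "definition": {"filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
                           "actions": {"baseBlob": actions}}}


def expected_state(rule: dict, blob_name: str, last_modified: str, today: str) -> str:
    """Evaluate the rule for one blob: the most aggressive action whose threshold is passed wins.
    Blobs the rule does not cover are assumed to sit in the hot tier (the account default here)."""
    filters = rule["definition"]["filters"]
    if not any(blob_name.startswith(p) for p in filters["prefixMatch"]):
        return "hot"
    age = (date.fromisoformat(today) - date.fromisoformat(last_modified)).days
    actions = rule["definition"]["actions"]["baseBlob"]
    for state, key in (("deleted", "delete"), ("archive", "tierToArchive"), ("cool", "tierToCool")):
        threshold = actions.get(key)
        if threshold and age > threshold["daysAfterModificationGreaterThan"]:
            return state
    return "hot"
```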
Microsoft Azure Storage Account Replication
During a calamity or other adverse situation, businesses need to protect their applications. To ensure the availability of your data, Microsoft Azure offers various replication options. By default, Microsoft Azure replicates your data within the primary region and gives you several options to expand on that.
The various redundancy options are:
Redundancy in the Primary Region
Locally Redundant Storage: With LRS, data is replicated three times synchronously within the same physical location or data center. The copies are stored on different servers, but not in a different location. This is the most cost-effective replication option, since redundancy takes place within a single data center. However, it offers no protection against a natural calamity or network infrastructure failure that affects the entire data center. Businesses should avoid this option if their application requires high availability.
Zone Redundant Storage: With ZRS, data is replicated three times synchronously across different zones, using the concept of Azure availability zones. Each zone has its own network infrastructure, which preserves business continuity in case of a network failure in the primary data center.
Redundancy in the Secondary Region
Geo Redundant Storage: GRS uses LRS in your primary region and asynchronously copies the data to a secondary region, where the same LRS-style replication is applied.
Geo-Zone Redundant Storage: GZRS uses ZRS in the primary region and LRS in the secondary region. Businesses need to keep in mind that the data in the secondary region is not available for read/write until a failover is initiated.
Read Access to Data in Secondary Region
There are two options in this category, which are the same as the two options above but additionally allow read access to the secondary region. These options are:
- Read-Access Geo Redundant Storage
- Read-Access Geo-Zone Redundant Storage
Storage Account Security
When a client is ready to migrate their data to the cloud, the first obvious question they will have concerns the security of that data. Microsoft Azure Storage offers various options to address that need. Below are a few:
Encryption
Encryption at Rest: Data can be encrypted at rest using encryption keys generated by Azure, or customers can bring their own encryption keys. Azure Key Vault can be used to manage the keys; however, the storage account and the Azure Key Vault should be in the same region. Disk encryption can also be used for VHDs.
Encryption in Transit: For data in transit, Microsoft Azure offers various secure channels to access the data, including Azure VPN, ExpressRoute, and P2S and S2S VPN infrastructure. For secure transfer, businesses can ensure that data access requests are made over HTTPS only and that Azure Files is accessed only over the SMB 3.0 protocol.
Storage Account Keys
Whenever an Azure Storage Account is created, a pair of keys is automatically generated and associated with your account. Either key can be used to access the containers or blobs. Anyone holding the Shared Access Keys (SAKs) gets full access to the Storage Account. However, businesses can regenerate the keys periodically and individually, and you can also manage your Storage Account keys using Azure Key Vault.
Shared Access Signatures
Businesses can strengthen their security by using SAS tokens to assign fine-grained rights to their resources. SAS tokens are generated using your SAKs and appended to the endpoint of your service. Each token has a specific validity period along with an associated protocol and policy, and carries a signature generated from the other parameters. When a request is made to an endpoint using a SAS token, Azure generates its own signature from those parameters and compares it with the signature in the token to validate whether the data access request has been tampered with.
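To make the validation step concrete, here is an added example (not Azure's own implementation, and not code from the original post) that models a SAS token as a set of query parameters plus an HMAC-SHA256 signature over them, and validates a presented token by recomputing the signature before checking the protocol and validity window. The string-to-sign layout, the field names, the resource path and the account key are simplified assumptions of this example.

```python
import base64
import hashlib
import hmac
from datetime import datetime
from urllib.parse import parse_qs, urlencode

# Constructed sample account key (base64); not a real Azure storage account key.
ACCOUNT_KEY = base64.b64encode(b"constructed-sample-key-not-a-real-key").decode()
# Query fields covered by the signature, in the fixed order this simplified model uses.
# Azure's real string-to-sign has more fields and its own layout; the check works the same way.
SIGNED_FIELDS = ("sp", "st", "se", "spr", "sr")

def _string_to_sign(params: dict, resource: str) -> str:
    # One signed field per line, the canonical resource path last.
    return "\n".join(params.get(f, "") for f in SIGNED_FIELDS) + "\n" + resource

def _sign(string_to_sign: str, account_key: str) -> str:
    mac = hmac.new(base64.b64decode(account_key), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def issue_sas(resource: str, permissions: str, start: str, expiry: str,
              account_key: str = ACCOUNT_KEY, protocol: str = "https") -> str:
    """Build a SAS-style query string: the parameters plus an HMAC over them."""
    params = {"sp": permissions, "st": start, "se": expiry, "spr": protocol, "sr": "b"}
    params["sig"] = _sign(_string_to_sign(params, resource), account_key)
    return urlencode(params)

def validate_sas(resource: str, query: str, scheme: str, now: str,
                 account_key: str = ACCOUNT_KEY) -> str:
    """Re-derive the signature from the presented parameters, then apply the token's policy."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    expected = _sign(_string_to_sign(params, resource), account_key)
    # Constant-time compare: any change to a signed parameter or the resource breaks the match.
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return "reject: signature mismatch"
    if params.get("spr") == "https" and scheme != "https":
        return "reject: protocol not permitted"
    if not (_ts(params["st"]) <= _ts(now) < _ts(params["se"])):
        return "reject: outside validity window"
    return "allow"
```

A token issued with `issue_sas(res, "r", start, expiry)` validates only for that resource, over HTTPS, inside its window; editing `sp=r` to `sp=rw` in the query string is rejected because the recomputed signature no longer matches.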
Access to Endpoints
Public Endpoint: This gives access to the account and its containers from the internet. If your data only needs to be accessed from your internal network, you can skip this option.
Public Endpoint (Selected VNets): Businesses can select the VNets and IP ranges that are allowed to access their Storage Account. If required, they can allow specific trusted public IPs to read/write the data.
Private Endpoint: A private endpoint resource is created so that traffic to the storage account stays entirely within your network.
AAD and RBAC
Businesses can use Azure Active Directory (AAD) and Role-Based Access Control (RBAC) to follow the principle of least privilege, ensuring each user is assigned a role that allows access only to the data they need.
Firewalls and Proxies
In addition to all of the above, you can set up firewall and proxy rules to block unauthorized access to your data and mitigate the threat.
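As an added example that is not part of the original post, the following check reads the security-related settings covered above (HTTPS-only transfer, TLS version, public endpoint exposure, shared key access, customer-managed keys) from a storage account's properties and reports the weak ones. The property names follow the Microsoft.Storage/storageAccounts resource JSON as this example assumes them; the two accounts and their values are constructed samples.

```python
from typing import List

# Constructed sample accounts. Property names follow the Microsoft.Storage/storageAccounts
# resource JSON as this example assumes them; the values are made up for illustration.
SAMPLE_ACCOUNTS = {
    "stweak001": {
        "supportsHttpsTrafficOnly": False,
        "minimumTlsVersion": "TLS1_0",
        "allowBlobPublicAccess": True,
        "allowSharedKeyAccess": True,
        "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": [], "ipRules": []},
        "encryption": {"keySource": "Microsoft.Storage"},
    },
    "sthardened001": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
        "allowSharedKeyAccess": False,
        "networkAcls": {"defaultAction": "Deny", "virtualNetworkRules": [],
                        "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}]},
        "encryption": {"keySource": "Microsoft.Keyvault"},
    },
}


def audit_account(props: dict) -> List[str]:
    """Return the weak settings found in one account's properties (empty list = none)."""
    findings = []
    if not props.get("supportsHttpsTrafficOnly"):
        findings.append("secure transfer off: plain HTTP requests are accepted")
    if props.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"minimum TLS version is {props.get('minimumTlsVersion')}, expected TLS1_2")
    if props.get("allowBlobPublicAccess"):
        findings.append("anonymous public read can be enabled on containers")
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny":
        findings.append("network default action is Allow: reachable from any network")
    elif not (acls.get("virtualNetworkRules") or acls.get("ipRules")):
        findings.append("default Deny with no VNet or IP rules: confirm a private endpoint is in use")
    if props.get("allowSharedKeyAccess", True):
        findings.append("shared key authorization enabled: anyone with an account key has full access")
    if props.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append("info: Microsoft-managed keys in use (no customer-managed key in Key Vault)")
    return findings


def audit_all(accounts: dict) -> dict:
    """Map each account name to its list of findings."""
    return {name: audit_account(props) for name, props in accounts.items()}
```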
Pricing of Microsoft Azure Storage Services
The pricing of an Azure Storage Account service depends on various factors: the kind of service you want; for the blob service, the access tiers you use; the region in which the account is deployed; the kind of storage you choose; the redundancy you require; the data retention policy, if any; and any other dependent services you use.
Microsoft Azure provides a few tools to estimate the cost your business might incur for your requirements. They are:
- Azure Pricing Calculator: Choose storage accounts here, then select the options that match your requirements to get an estimated cost. Link: https://azure.microsoft.com/en-in/pricing/calculator/
- Azure Total Cost of Ownership (TCO) Calculator: This helps you understand the current total cost of ownership of your on-prem workload and recommends the corresponding services in Azure. Link: https://azure.microsoft.com/en-in/pricing/tco/calculator/